include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ---- Imports System.IO Imports Microsoft.Win32.SafeHandles Imports System.Security.AccessControl Imports System.IO.Compression Imports System.IO.IsolatedStorage Imports System.IO.MemoryMappedFiles ' Use interop to call the CreateFile function. ' For more information about CreateFile, ' see the unmanaged MSDN reference library. Private Shared Function CreateFile(ByVal lpFileName As String, ByVal dwDesiredAccess As UInteger, ByVal dwShareMode As UInteger, ByVal lpSecurityAttributes As IntPtr, ByVal dwCreationDisposition As UInteger, ByVal dwFlagsAndAttributes As UInteger, ByVal hTemplateFile As IntPtr) As SafeFileHandle End Function ' Review any static method call of File and Directory File.Exists("test.txt") ' Sensitive Directory.Exists("test") ' Sensitive ' Review any instantiation of FileInfo and DirectoryInfo and check how they are used new FileInfo("test.txt") ' Sensitive new DirectoryInfo("test") ' Sensitive ' Review the creation of SafeFileHandle and how it is used. SafeFileHandle handle = CreateFile(...) ' Sensitive, using the imported function new SafeFileHandle(IntPtr.Zero, false) ' Sensitive ' Sensitive: review the creation of FileStream and other Streams accepting a file path. new FileStream("test.txt", FileMode.Create) new StreamWriter("test.txt", ...) ' Sensitive new StreamReader("test.txt", ...) ' Sensitive ' Review those two methods as they create file and directories. Path.GetTempFileName() ' Sensitive Path.GetTempPath() ' Sensitive new FileSecurity("test.txt", AccessControlSections.All) ' Sensitive ' Review all calls to static methods of ZipFile as they create file and/or directories ZipFile.CreateFromDirectory("test.txt", "test.zip") ' Sensitive ' Review all calls to static methods of IsolatedStorageFile IsolatedStorageFile.GetMachineStoreForApplication() ' Sensitive ' Review all instantiation of IsolatedStorageFileStream and how they are used new IsolatedStorageFileStream("test.txt", ...) ' Sensitive ' Review all Create* and Open* static methods of MemoryMappedFile and how the resulting file is used MemoryMappedFile.CreateFromFile("test.txt") ' Sensitive ---- == Exceptions The creation of ``++FileStream++`` from a ``++SafeFileHandle++`` won't raise an issue as the creation of ``++SafeFileHandle++`` already raised one. Only the creation of ``++StreamWriter++`` or ``++StreamReader++`` from a string path will raise an issue for the same reason. include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]